CYB236 Chapter 8: Host-based Intrusion Detection Systems

Questions and Answers

What is the primary function of a host-based IDPS?

To monitor the Internet for potential threats

To monitor the entire network for suspicious activity

To monitor the organization's firewall for unauthorized access

To monitor the characteristics of a single host and the events occurring within that host for suspicious activity (correct)

What is the typical component of most host-based IDPSs installed on the hosts of interest?

Proxies

Sensors

Agents (correct)

Gateways

What does an agent designed to monitor a server typically monitor?

The OS and common client applications

The OS and some common applications (correct)

Only the operating system (OS)

Only common applications

What is an application-based IDPS also known as?

Some agents perform monitoring for a specific application service only

Where do agents deploy to in a network architecture?

To existing hosts on the organization's networks

What do agents communicate over in a network architecture?

Same networks

What is the primary difference between a host-based IDPS and a network-based IDPS?

The scope of monitoring

What is the purpose of a prevention action in a host-based IDPS?

To respond to suspicious activity

What is the primary function of a shim in a host-based IDPS?

To intercept, analyse, and determine allowing or denying access

What type of architecture do host-based IDPSs use?

Host-based

What is logged by host-based IDPSs?

Timestamp, event type, event details, and prevention action performed

What is an example of an event detected by host-based IDPSs?

All of the above

What is a limitation of host-based IDPSs?

All of the above

What is a prevention capability of host-based IDPSs?

Preventing code from being executed

Where are appliance-based agents deployed?

Inline, in front of the hosts they protect

What is a security capability of host-based IDPSs?

All of the above

What is the primary purpose of Network Traffic Filtering?

To prevent unauthorized access and acceptable use policy violations

What is the function of Filesystem Monitoring?

To prevent files from being accessed, modified, replaced, or deleted

What is the purpose of Removable Media Restriction?

To prevent malware from being transferred or copied to or from the host

What does Audiovisual Device Monitoring indicate?

If the host is compromised

What is the function of Host Hardening?

To detect and enable disabled security functions

What is the purpose of Process Status Monitoring?

To monitor the status of processes or services and security programs

What is Network Traffic Sanitization used for?

To prevent sensitive information from being displayed on web server pages

What is unique about updating agents in host-based IDPSs?

It is related to the type of operating system

What is a common capability offered by most host-based IDPSs?

Management capabilities